Latest IPC Decisions

File Numbers Type Collection Adjudicators Date Published
HA19-00243 Decision Health Information and Privacy Cathy Hamilton

The complainant made an access and correction request to Alexandra Marine and General Hospital (the hospital) under the Personal Health Information Protection Act (the Act). Upon receipt of his records of personal health information, the complainant requested corrections of the information in them. He also believed that further records exist that are responsive to his access request, raising the issue of reasonable search. In this decision, the adjudicator finds that the exception to the duty to correct at section 55(9)(b) (good faith professional opinion or observation) applies. The hospital’s decision to not make the requested corrections is upheld. With respect to the hospital’s search for responsive records, the adjudicator upholds the hospital’s search with one exception and orders the hospital to conduct a further search for a particular mental health assessment and issue a new decision letter to the complainant with respect to the results of the search.

HI19-00042 Decision Health Information and Privacy Soha Khan

The office of the Information and Privacy Commissioner/Ontario (IPC or this office) received a complaint under the Personal Health Information Protection Act (the Act) against a pharmacy. The complaint related to the unauthorized collection of personal health information. Specifically, pharmacy staff attempted to collect the complainant’s health card number in order to fill her prescription. This was the second incident of this nature reported to this office.
This Decision finds that the pharmacy did not collect the complainant’s health card number, and therefore, did not contravene the Act. However, the Decision also finds that the pharmacy staff lacked education and training around the collection of health cards under the Act and failed to properly communicate the pharmacy’s policy to this complainant that the production of her health card was voluntary.
In response to this complaint, the pharmacy has taken a number of steps including training its staff and revising its information practices around health cards and health card numbers. In light of the actions taken by the pharmacy, I have decided no formal review of this matter will be conducted under Part VI of PHIPA.

FA21-00064 Decision Child, Youth, and Family Information and Privacy Stella Ball

The complainant’s information was contained in records of a children’s aid society (the CAS) relating to reports that a child suffered harm while in his care as a babysitter. The complainant sought access to all of his personal information in the CAS’s files. The CAS provided the complainant with a severed copy of records containing his personal information. The complainant then filed a complaint with the Information and Privacy Commissioner of Ontario (IPC), asking the IPC to review the CAS’s decision to withhold information in the records from him.
Exercising her discretion under sections 317(3) and 317(4) of the Child, Youth and Family Services Act, 2017 (the Act), the adjudicator determines that there are no reasonable grounds to conduct a review of the subject-matter of the complaint and that a review is not warranted. She bases her determination on her finding that the complainant has no right of access to the records under section 312(1) of the Act because the records do not relate to “the provision of a service” to him as required for the application of that section. As a result, the adjudicator declines to conduct a review and she dismisses the complaint.

HI20-00006 Decision Health Information and Privacy Alanna Maloney

The Office of the Information and Privacy Commissioner of Ontario received a complaint under the Personal Health Information Protection Act, 2004 (the Act) about an alleged unauthorized use of patients’ personal health information by three doctors of a public hospital. This decision finds that the use of the personal health information by two of the three doctors to be in accordance with the Act. According to the audit information provided by the hospital, the third doctor did not access the patients’ personal health information.

FA20-00017 Decision Child, Youth, and Family Information and Privacy Jenny Ryu

This decision concerns a complainant’s request under Part X of the Child, Youth and Family Services Act, 2017 (the Act) for records about a family member. It considers the right of access in Part X to records of an individual’s personal information that relate to the provision of a service to the individual. It also considers the potential relevance of sections of Part X that permit or require the disclosure of personal information in some circumstances.

In this decision, the adjudicator finds that the complainant does not have a right of access to personal information of his family member under the Act, because he is neither the individual to whom the personal information relates, nor an authorized substitute decision-maker for that individual. She also finds that the service provider properly exercised its discretion under a potentially applicable section of the Act that permits disclosure in some circumstances. In the result, she upholds the service provider’s refusal of the complainant’s request for his family member’s personal information. She also upholds the service provider’s search for other records within its custody or control about the complainant and other family members. She dismisses the complaint.

HA20-00021 Decision Health Information and Privacy Cathy Hamilton

The complainant’s representative submitted a correction request under the Personal Health Information Protection Act to the Central LHIN operating as the Home and Community Care Support Services – Central (the custodian). The complainant submits that a home care assessment form contains a number of errors. The custodian agreed to make some corrections, but not others. In this decision, the adjudicator finds that the exception to the duty to correct at section 55(9)(b) (good faith professional opinion or observation) applies. The custodian’s decision to not make the requested corrections is upheld.

PI21-00003 Privacy Complaint Report Privacy Reports John Gayle

The Office of the Information and Privacy Commissioner of Ontario received three related privacy complaints about the University of Guelph (the university). The complaints concerned the university’s collection of information relating to the COVID-19 vaccination status of students who wished to live on residence for the 2021–2022 academic year. The complainants believed that the collection breached the students’ privacy under the Freedom of Information and Protection of Privacy Act (the Act).

This report finds that the information at issue is “personal information” as defined in section 2(1) of the Act. It also finds that the collection of the personal information and the notice of collection were in accordance with sections 38(2) and 39(2) of the Act, respectively.

HC19-00018 Decision Health Information and Privacy Jenny Ryu

This decision and related PHIPA Decision 177 address a complainant’s allegations that a number of individuals at two hospitals made unauthorized accesses to records of his son’s personal health information after his son’s death. The records at issue in both decisions are contained in a shared electronic medical records system (EMR) accessible to both hospitals.
This decision addresses the allegations concerning accesses to EMR records in the custody or control of Windsor Regional Hospital – Ouellette Campus (WRH), as well as accesses by WRH agents to records in the custody or control of the other hospital, Hôtel-Dieu Grace Healthcare. In this decision, the adjudicator declines to consider the complaint against a WRH doctor in respect of two accesses in the EMR, because that matter has been appropriately dealt with in previous proceedings before the College of Physicians and Surgeons of Ontario. She finds that the remaining accesses were made in accordance with the Personal Health Information Protection Act, 2004 (PHIPA), generally in relation to quality of care purposes permitted under PHIPA. She also finds that WRH generally complied with its obligations under PHIPA to take reasonable steps to protect personal health information in its custody or control, and to respond adequately to the complaint. As a result, she concludes the review without issuing an order. However, the adjudicator makes some comments and one recommendation to clarify WRH’s obligations under PHIPA and to help improve its privacy practices in future.

HC19-00055 Decision Health Information and Privacy Jenny Ryu

This decision and related PHIPA Decision 176 address a complainant’s allegations that a number of individuals at two hospitals made unauthorized accesses to records of his son’s personal health information after his son’s death. The records at issue in both decisions are contained in a shared electronic medical records system (EMR) accessible to both hospitals.
This decision addresses the allegations concerning accesses to EMR records in the custody or control of Hôtel-Dieu Grace Healthcare (HDGH), as well as accesses by an HDGH agent to a record in the custody or control of the other hospital, Windsor Regional Hospital – Ouellette Campus. In this decision, the adjudicator finds that the accesses at issue were made in accordance with the Personal Health Information Protection Act, 2004 (PHIPA), generally in relation to quality of care purposes permitted under PHIPA. She also finds that HDGH complied with its obligations under PHIPA to take reasonable steps to protect personal health information in its custody or control, and to respond adequately to the complaint. As a result, she concludes the review without issuing an order. However, the adjudicator makes some comments to help improve HDGH’s privacy practices in future.

HI19-00007 Decision Health Information and Privacy Lucy Costa

This investigation file was opened following the publication of a Toronto Star article in 2019 (the Article). The Article reported that a company that sells and supports electronic medical record software in primary care practices in Ontario was anonymizing health data and selling the data to a third party corporation. In response to the article, the Office of the Information and Privacy Commissioner of Ontario commenced a review under the Personal Health Information Protection Act (the Act) and sought to identify the individual or entity who allegedly de-identified and sold the data.

The corporation that was identified as having sold the information was named as a respondent in this investigation and a number of other respondents were also added, one of which was identified as the health information custodian.

This Decision concludes that the act or process of de-identifying personal health information is a “use” within the meaning of section 2 of the Act, and that the use of personal health information for the purpose of de-identification is permitted without the consent of the individual, where the conditions set out under subsection 37(1)(f) of the Act are met. At the time of this investigation, the health information custodian’s written public statement about its information practices did not comply with section 16(1)(a) of the Act. However, this issue has since been remedied and the custodian’s updated privacy policy now meets the requirements of the Act by explicitly describing its practice of de-identifying personal health information and selling the information to a third party for a number of purposes, including for health-related research. With regard to the de-identified personal health information, the custodian has complied with subsection 12(1) of the Act, in that reasonable steps have now been taken to ensure the protection of personal health information by amending the sale agreement to include additional privacy and security controls. Further, the IPC has no information to suggest that the personal health information was not properly de-identified within the meaning of the Act.

Accordingly, this review will be concluded without proceeding to the adjudication stage and without an order being issued by this office.

HR19-00196, HR19-00289 Decision Health Information and Privacy Jennifer Olijnyk

A public hospital (the hospital) contacted the Information and Privacy Commissioner/Ontario (the IPC) to report two privacy breaches under the Personal Health Information Protection Act, 2004 (PHIPA or the Act). Specifically, and unrelated to each other, a clerk and a nurse had each accessed the personal health information of many patients without authorization. In light of the steps taken by the hospital to address both breaches, no formal review of this matter will be conducted under Part VI of the Act.

HA15-37 Decision Health Information and Privacy Cathy Hamilton

The complainant requested a reconsideration of PHIPA Decision 99, which dealt with a complaint made under the Personal Health Information Protection Act (the Act) about a physician. In that complaint, the complainant alleged that the physician did not conduct a reasonable search for records responsive to her access request and that the physician improperly refused to make requested corrections to her records of personal health information. In PHIPA Decision 99, the adjudicator upheld the physician’s search for records as reasonable and upheld the physician’s refusal to make the requested corrections to the records. In this reconsideration decision, the adjudicator determines that there are no grounds for reconsideration and the complainant’s request for reconsideration is dismissed. The adjudicator also dismisses the complainant’s allegation of a reasonable apprehension of bias.

FA21-00014 Decision Child, Youth, and Family Information and Privacy Stella Ball

The complainant, a teacher who was interviewed by a children’s aid society (CAS) as part of an investigation, requested the correction of the CAS record detailing his interview. The CAS, which had provided the complainant with a severed copy of the record of his interview, refused the correction request and advised the complainant that he could make a complaint about the refusal to the Information and Privacy Commissioner of Ontario under the Child, Youth and Family Services Act, 2017.

The adjudicator determines that there are no reasonable grounds to conduct a review of the subject-matter of the complaint and that a review is not warranted. She bases her determination on her finding that the complainant has no right to request that the children’s aid society correct the record under section 315(2) of the Act because he has no right of access to the record under section 312(1) of the Act; an individual’s right to request a correction under section 315(2) is limited to records to which the individual has a right of access under section 312(1). As a result, the adjudicator declines to conduct a review and she dismisses the complaint.

HA20-00155 Decision Health Information and Privacy Daphne Loukidelis

This reconsideration decision addresses the complainant’s request for reconsideration of PHIPA Decision 170. In that decision, the adjudicator found that the respondent hospital was not required to correct a record of the complainant’s personal health information because the exception for good faith opinion or observation under section 55(9)(b) of the Personal Health Information Protection Act, 2004 applied. The adjudicator finds that the complainant has not established any ground for reconsideration under section 27.01 of the Code of Procedure for Matters under the Personal Health Information Protection Act, 2004 and denies the request.

MC18-17 Privacy Complaint Report Privacy Reports Jennifer Olijnyk

The Office of the Information and Privacy Commissioner of Ontario (the IPC) received a privacy complaint from the parents of students of the Halton District School Board (the board), objecting to the board’s use of third party apps (“apps”), and the associated collection, use, and disclosure of students’ personal information. The complainant alleged that the board’s utilization of these apps contravened the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA or the Act). The complainants’ concerns included a failure to regulate the third party apps available to students via the board’s platform, a failure to track which apps had collected students’ personal information and what information they had collected, the posting of students’ personal information without knowledge or consent, and third party apps advertising to students. The complainants also stated that the board does not have reasonable measures in place to ensure that third party vendors protect the security of student personal information.

This report concludes that the board’s catalogue system regulating the apps that collect, use, and disclose students’ personal information is in partial compliance with the Act, but that the board’s notice of collection was deficient. This report concludes that personal information was used for advertising or marketing purposes, contrary to the provisions of the Act. This report recommends that the board review its usage agreements with vendors, and revise the agreements to expressly prohibit the use of personal information by vendors for advertising or marketing purposes and to ensure that vendors only use personal information for the board’s education-related purposes. This report further recommends that the board review which apps use personal information for marketing or advertising purposes, and take the steps needed to prevent vendors from using personal information for those purposes going forward.

This report also concludes that the board does not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of its students. This report recommends that the board revise its usage agreement to require vendors to notify the board when they have been compelled by law to disclose personal information. This report further recommends that the board revise its usage agreement to include both a requirement that vendors delete data for accounts no longer in use and a commitment by vendors to confirm, on the board’s request, that this deletion had occurred. Finally, this report recommends that the board’s usage agreement include both an audit requirement and a term stating that vendors’ obligations regarding personal information continue to apply, regardless of any changes to a vendor’s business name, structure, or ownership.
